21.0.0: Difference between revisions

No edit summary
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The Switch 21.0.0 system update was released on November 11, 2025 (UTC). This Switch update was released for the following regions: ALL.
The Switch 21.0.0 system update was released on November 11, 2025 (UTC). This Switch update was released for the following regions: ALL.


Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.
Security flaws fixed: yes.
 
As of December 18, 2025 (UTC), this sysupdate (or later?) is now required by [[Network|dauth]].


==Change-log==
==Change-log==
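Review bot: the replacement line "Security flaws fixed: yes." drops the placeholder but gives the reader nowhere to go. The bluetooth, hid and ldn entries further down this page link their fixes to [[Switch_System_Flaws]], so the same link belongs on this line. In the added dauth sentence, "(or later?)" leaves it open whether 21.0.0 itself is the minimum version. Either confirm it or say explicitly that the minimum is unverified.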
Line 29: Line 31:
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware, ClientCertData, GameCardConfigurationData.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware, ClientCertData, GameCardConfigurationData.
** Applets: qlaunch, auth, cabinet, controller, dataErase, error, playerSelect, swkbd, miiEdit, LibAppletWeb, LibAppletShop, overlayDisp, photoViewer, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application, myPage, splay.
** Applets: qlaunch, auth, cabinet, controller, dataErase, error, playerSelect, swkbd, miiEdit, LibAppletWeb, LibAppletShop, overlayDisp, photoViewer, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application, myPage, splay.
The [[NGCT_services|ngct]]-sysmodule is now stubbed, the ngct:u service was moved into [[NGC_services|ngc]].


[[NPDM]] changes (besides usual version-bump):
[[NPDM]] changes (besides usual version-bump):
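Review bot: the added ngct sentence is a comma splice and sits unbulleted between the "**" title lists and the NPDM paragraph. Suggest "The [[NGCT_services|ngct]]-sysmodule is now stubbed; the ngct:u service was moved into [[NGC_services|ngc]]." and giving it its own paragraph break so it does not read as a continuation of the Applets list.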
Line 62: Line 66:
** "/lyt/Browse/TapHighlight.arc" added
** "/lyt/Browse/TapHighlight.arc" added
** "/message/": Various data updated.
** "/message/": Various data updated.
** "/nro/netfront/core_0/default/" removed
** "/nro/netfront/core_0/default/cfi_disabled" moved to "/nro/netfront/core_0/Default/cfi_nocfi".
** "/nro/netfront/core_0/Default/" added
** "/nro/netfront/core_3/default/cfi_enabled" moved to "/nro/netfront/core_3/Default/cfi_nncfi".
** "/nro/netfront/core_3/default/" removed
** "/nro/netfront/core_3/Default/" added
* Help: "/legallines.htdocs/index.html" updated
* Help: "/legallines.htdocs/index.html" updated
* NgWord: "/0.txt" updated, "/version.dat" updated
* NgWord: "/0.txt" updated, "/version.dat" updated
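Review bot: the netfront lines record "cfi_disabled" becoming "cfi_nocfi" and "cfi_enabled" becoming "cfi_nncfi" as moves, but do not say whether the file contents are unchanged or only the names were compared. That is worth stating, since the directory case also changes ("default" to "Default") and a reader cannot tell a pure rename from a rebuilt module. The ordering is also inconsistent between the two cores: for core_0 the "moved" line sits between the "removed" and "added" directory lines, for core_3 it comes before them. If the "moved" lines are meant to supersede the directory "removed"/"added" lines, those should not remain alongside them.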
Line 341: Line 343:


The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].
The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].
==== Kernel ====
* Compiler was upgraded (to clang 18.1.0+).
** Besides the usual reordering, this is now most noticeable in the following:
*** Many atomic st(l)xrs now use cmp + csetm + tbz instead of cbnz.
**** Testing on godbolt indicates this seems to be a change made in clang 18.1.0+ (not present in 17.0.1).
*** Many cases where they previously did some_condition ? m_a : m_b now have different assembly.
**** Previously: add Xn, Xz, #A; add Xm, Xz, #B; csel Xn, Xn, Xm; ldr Xn, [Xn]
**** Now: mov Xn, #A; mov Xn, #B; csel Xn, Xn, Xm; ldr Xn, [Xz, Xn]
*** Many cases of booleans now explicitly test for 1 instead of <any non-zero value>
**** Previously: ldrb w8, [x8]; cbz w8, some_loc
**** Now: ldrb w8, [x8]; cmp w8, #1; b.ne some_loc
** Many, many cases of superfluous red-black-tree iteration prior to calls to KIntrusiveRedBlackTree::Remove have finally been optimized out.
*** Basically, KIntrusiveRedBlackTree::erase returns an iterator to the next item in the tree.
*** Previously, the table walk to find the next item was being performed even when the result was discarded/not-used, which was almost every case.
*** Now, it's successfully getting optimized out.
* KAutoObject's class token has been devirtualized.
** It is now stored as a 16-bit value in previously unused padding bytes, after the reference count.
** KAutoObject::Create() sets this to the correct value when setting refcount=1.
** This implementation is generally identical to the one already present in mesosphere.
* HandleFloatingPointException now sets a previously unused StackParameters flag (+0x2F) to 1.
** This flag doesn't seem to be referenced/used anywhere else in the kernel?
* KThread StackParameter exception_flags bitflags are now volatile and mostly atomic; many bits now use atomic read-modify-write loops to set and clear bits.
** This is not done for bit 0 ("is in svc"), accesses specifically for bit 0 continue to use non-atomic reads/writes.
** This generates pretty terrible assembly for GetThreadUserContext, which now must perform a volatile read of this value over and over in a loop.
* KIoRegion fields were reordered to save 8 bytes.
** The 8-byte size/alignment lock field is no longer wedged inbetween two 1-byte booleans.
* KScheduler::SwitchThread now writes a tick differential (thread->GetCpuTime() - context_switch_time) to user-tls + 0x108.
** NOTE: This is an ABI change which will not affect official software, but will force any homebrew software which uses TLS-slots to need re-compile.
* UserspaceAccess::CopyMemoryToUserSize32Bit now takes in a 32-bit word to write, instead of a kernel-pointer-to-32-bit-word.
* Nintendo appears to have done something akin to marking nn::Result nodiscard + gone through and fixed literally every instance of Result return values not being used.
** This results in sweeping changes (many Result-return functions are now void return, many new kernel panics, some changed behaviors), including e,g,
** KInterruptManager::ClearInterrupt no longer checks if a handler has been registered, and always clear the table entry.
** KInterruptManager::UnbindHandler is now void-return instead of Result; it no longer checks if the handler has been registered, and unconditionally clears to unbound state.
** KPageTableBase::InitializeForKernel now returns void, and panics if the KMemoryBlockManager::Initialize fails.
** KDebugBase::OnExitProcess/OnTerminateProcess now return void instead of Result.
** KEvent/KReadableEvent::Signal/Clear now return void instead of Result; svc::ClearEvent/SignalEvent now just calls the relevant function and returns ResultSuccess.
** KThreadLocalPage::Finalize now returns void + kernel-panics if unmapping the page fails; KProcess::DeleteThreadLocalRegion now returns void instead of Result.
** Every kernel-use of KInterruptManager::BindHandler now panics on failure.
** Every kernel-use of cpu::StoreDataCache and cpu::FlushDataCache and cpu::InvalidateDataCache now panics on failure.
** Every kernel-use of KThread::Initialize now panics on failure
** Every kernel-use of KThread::Run now panics on failure.
** The kernel-use of KDynamicSlabHeapPageAllocator::Initialize in resource manager init now panics on failure
** There are more cases, too many to fully enumerate with high confidence.
=== [[Bluetooth_Driver_services|bluetooth]] ===
The below changes for gatt_process_prep_write_rsp and gatt_process_notification were also backported to [[19.0.2]].
* Updated L_c6720, prev ver @ L_c0cc0. This is gatt_process_prep_write_rsp.
** The input size is now [[Switch_System_Flaws|validated]]. The validation is implemented as: <code>if (0xFDA6 >= (u16)(size-0x25D)) <fail></code>
* Updated L_c6930, prev ver @ L_c0eb0. This is gatt_process_notification.
** The input size bounds check was moved before writing any data to stack, and the bounds check was updated (same as gatt_process_prep_write_rsp above).
** These changes shouldn't matter? The stack data is only used when the bounds check passes, and the previous check also would catch wrap-around.
* ...
=== [[HID_services|hid]] ===
A vuln with hid:dbg was [[Switch_System_Flaws|fixed]].
=== [[LDN_services|ldn]] ===
A vuln was [[Switch_System_Flaws|fixed]].


==See Also==
==See Also==
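Review bot: in the bluetooth entry for gatt_process_prep_write_rsp, the check is quoted only in its compiled form, "if (0xFDA6 >= (u16)(size-0x25D)) <fail>", which leaves the reader to work out what is actually accepted. Taken as 16-bit arithmetic, it fails whenever (u16)(size-0x25D) is at most 0xFDA6, so the sizes that pass are 0x4 through 0x25C inclusive. Stating that range next to the expression would make the fix readable, along with whether size is already 16 bits wide before the cast, which the entry does not say. Separately, in the Kernel list the "Now:" sequence for the ternary case reads "mov Xn, #A; mov Xn, #B; csel Xn, Xn, Xm", which writes Xn twice and never sets Xm, so the second mov presumably targets Xm. The same list also has "e,g," for "e.g." and "always clear" for "always clears".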